On this page

NTFS Disk Recovery

1 Situation

Mary, the daughter of a friend is in college: her Windows XP laptop
constantly reboots and, we suspect, has a bad hard drive. The system will boot
a live CD (Ubuntu 9.10 Karmic Koala Desktop), and data on the hard drive can be
read. During boot, the live CD identifies disk errors and tries unsuccessfully
to repair them.

2 Backup

Securing the information on the hard disk is priority #1. We don't know
what's wrong with the disk, so we need to make a backup disk image before we attempt a
repair. From a command prompt a directory is created at /media/server on the laptop's live cd environment to mount
a drive share to back up the laptop hard disk.

The server has previously been configured with an NFS share, but the live CD
doesn't have the NFS client installed. Fortunately the Ubuntu live CD can
download and install programs from the apt repository.

LiveCD$ sudo apt-get install portmap nfs-common

Now that the nfs client is installed we can mount the share and have a
place to put the disk image

LiveCD$ sudo mount server:/storage/share /media/server

Now the share on server looks like a local partition mounted at
/media/server we can create our disk image.

fdisk -l shows us the hard disk is /dev/sda and that there is one NTFS
partition. Now we can use dd to create a disk image.
Caution: dd allows you to read from and
write to a device directly. A careless command here can destroy your data.
Measure twice and cut once.

LiveCD$ dd if=/dev/sda of=/media/server/laptop_disk.img

Normally, dd takes a while to make a disk image but we get a disk error almost
immediatly and dd aborts. Fortunately there is ddrescue, actually there are two
ddrescue programs, we are using the GNU ddrescue program. ddrescue works
almost exactly like dd, except that it is intended to work on faulty drives and
can compensate for disk errors. ddrescue does not come on the live CD and is
not available in the APT repository, but we can download it from the web, place
it in the already mounted nfs share and install it from there.

ddrescue successfully images the disk. The next task is to make a copy of
the disk image so that, in the event that an attempt to fix the disk image goes bad
we can, at least, get back to this point with a minimum of effort. We will do
all our work on the image (mary_inspiron_6000.img), and keep the original
(mary_inspiron_6000.img.orig) untouched as an archive and reference.

LiveCD$ cp -p mary_inspiron_6000.img mary_inspiron_6000.img.orig

Now comes the fun part, looking to see what we can save.

3 Recovery

Recovery goes surprisingly well, with one exception that I'll detail later.
I mount the working image (mary_inspiron_6000.img) as the d drive on a virtual
Windows XP machine I have set up for disk recovery and run a variety of tools
against it.

diskpart gives information on the disks and their partitions on Windows XP

Chkdsk repairs the volume, now we reverse the backup procedure and use dd
across the nfs share to copy the repaired image back to a new hard drive. Now
it is time to test the repaired partition and see if it will boot. SUCCESS! the
disk boots and we now have a repaired system.

Now that we have the system repaired, it's time to discuss that problem I
mentioned that we would get to later. The image has been placed on a new hard
disk that is much larger than the image we have 93 GB of free space we would
like to be able to access. Although Windows reports the paritition as healthy
the Linux tools I used to try and extend the partition all reported an error
that prevented them from extending the partition.

Fortunately, Microsoft provides a tool for extending a disk partition.
diskpart will extend an existing partition into free disk space, but does not
extend system partitions. No problem, using a USB to Hard Drive cable the disk
can be attached to an existing system. While attached to that system it is not
the system drive and can be extended easily and surprisingly quickly.

After the disk is placed back in the laptop it boots and works without a
problem.

4 Conclusion

Linux provides an extremely versitile toolbox for repairing problems. It
accomplishes this, in many cases, by bypassing the structure of an operating
system and addressing the hardware directly. It's neworking allows
information to be passed between machines quickly and efficiently and the
virtualization makes it possible to present as other operating systems and
environments. With all of Linux's strengths, in some situations bypassing the
operating system is not the best solution and a Windows system command is the
proper tool for the job.

While all this is exciting and enjoyable from a technical standpoint, the
important thing is that Mary's laptop is working again and she can go back to
school and be successful.

6 FAQ

Q: Why do you didn't use System Rescue CD?

A: To be honest I used the tools at hand and the ones I was familiar with. I was very concerned that the Ubuntu Workstation CD tried to repair the NTFS partition before I had a chance to image it. I have downloaded System Rescue CD and will be evaluating it for future use, thank you for the recommendation!

Should the need arise I may also evaluate GetDataBack NTFS, but it is a pay application and I prefer free as in pizza.

Q: Why not mention testdisk?

A: I didn't use it. I checked out it's list of features and I didn't need any of them for this job... that being said, it looks like an awesome tool and it will be going into my toolbox. http://www.cgsecurity.org/wiki/TestDisk

Q: What virtualization software did you use (Virtualbox...)?

A: Apologies for the lack of detail, it didn't seem relevent at the time since any virtualization technology should do the job. I used kvm for this recovery and included a helpful link above.

Q: rather than using diskpart to grow the partition, I suggest using parted/gparted or ntfsresize (part of ntfsprogs).

A: Not a question, but here goes anyway: again, apologies for my lack of clarity. A whole lot of failed attempts and incomplete successes were snipped from this document to provide just the meat of the article (I blame it on having read to many man pages).

gparted failed to resize the partition and returned an unknown error. My assumption was that even though I had imaged the disk and moved the image to a known good hard drive some flag on the NTFS partition was not cleared by chkdsk and was reporting a phantom error to linux.

I don't recall attempting ntfsresize, it will also go in my toolbox for next time!

Thank you to everyone that took the time to reply! Your suggestions will make me better the next time I have to do data recovery.

I do professional data recovery using linux. GNU ddrescue is a godsend. One thing I would like to mention though: rather than using diskpart to grow the partition, I suggest using parted/gparted or ntfsresize (part of ntfsprogs). they both work very well and can be run on images or disks.